The Fulcrum DeFi protocol developed by bZX, which relaunched in February after a series of hacks that forced the team to regroup, was hacked again for about $8 million.
According to bZX's disclosure of the incident, the culprit is a line of code placed in the wrong position in its “iTokens” contract. An iToken is the token that represents a user’s share of the supplied assets; it is essentially a tokenized deposit balance.
A fix was quickly provided to prevent further incidents. As Anton Bukov, Chief Technology Officer of 1inch.exchange, highlighted, the fix simply moved one line of code down several positions.
The bug duplicated tokens when a user sent a transfer to themselves through a certain function. Under the hood, the contract simply subtracts the transferred amount from the sender’s balance and adds it to the recipient’s. To do so, the contract created temporary variables that held the opening balances of the sender and the recipient and used them to compute the updated balances.
However, if the receiver and sender are the same, the subtraction is done after the opening-balance variables have been set. That meant the subtraction had no effect, so the attackers could simply create new tokens at will.
The duplicate tokens were then exchanged for the underlying collateral, since the hackers now “owned” a much larger percentage of the pool. This enabled them to drain 219,199.66 LINK, 4,502.70 Ether (ETH), 1,756,351.27 Tether (USDT), 1,412,048.48 USD Coin (USDC) and 667,988.62 Dai (DAI), worth a total of $8 million.
Past experience prompted bZX to set up an insurance fund to cover these “Black Swan events,” and the stolen coins were debited to the fund, which receives 10% of the protocol’s revenue through interest fees. However, the Fulcrum protocol was only valued at $6 million in total after the incident.
Therefore, paying back this debt can take a long time, and it depends on the protocol being successful despite these failures. The bZX team has committed to backing up its practices with multiple Certik and PeckShield audits as well as a reinvigorated bug bounty program.
This seems to have been inadequate and shows that creating a secure DeFi protocol is more difficult than it sounds.